Cookie Horrors: Extreme Data Mining and Online Spying

Do you block or regularly delete Web cookies?… Nice one! Unfortunately, however, not everyone wants to congratulate you. Indeed, it’s probably fair to say that the Internet as a whole hates your very guts. But don’t worry. The Internet has many sly solutions to your increasingly futile attempts to regain some privacy, and the more of us who block or delete cookies, the worse things are likely to get.

Let’s not mince words. Finding out exactly who you are, what you like, what you dislike, where you are on the Internet, and never letting you out of sight, is the Holy Grail of online capitalism. Any online business which manages to achieve real reliability and accuracy in this field is going to get very, very rich indeed. And where there are huge wads of money at stake, you can bet your last fiver that those chasing the cash will go to extraordinary lengths to get what they want.

Aggressive Web powers know, when you’re blocking cookies, that you’re saying no to online tracking. But they find workarounds to spy on you regardless. Those are the sort of people we’re all dealing with, and here are some of the choice antics they indulge in…

DELIBERATELY MAKING IT HARD OR IMPOSSIBLE FOR YOU TO REJECT SURVEILLANCE

Forcing you to enable JavaScript. Forcing you to enable Flash. Forcing you to update Flash. Forcing you to update your browser. All the businesses who push you into accepting these settings and updates will insist that they do so for your benefit, but do you really think a two-year-old video player could somehow be incapable of playing a new video? Of course not. A video is a video.

The reason the Web powers constantly force you to ‘upgrade’ stuff and keep your scripting functions active is that they want to use new tracking and recognition scripts, install more reliable tracking beacons, profile you with greater accuracy, and tag you with identifiers you can’t easily destroy.

These aggressive companies don’t need to take your login through umpteen hidden domains each time you want to use their sites. In fact it’s more hassle for them. The reason they make their login redirection sequences so complicated is so you’ll give up trying to set cookie exceptions and just accept all cookies. Then their partners can gather all your data too, and the whole log of your progression round the Web can be collated, then sold to salivating sales departments, insurance companies, and whoever else might want to get their grubby hands on it.

THE “SECURITY” AND “ENHANCEMENTS” BLAG

User security is among the pretexts adopted for the Web’s enforcement of perpetual software upgrades, but: a) no one should be forcing you to change your security levels when they have no idea what your security needs are, and b) the actual virus-related security threats for careful Web users are extremely low. I binned my antivirus software well over two years ago, and I haven’t had a hint of a virus since. Antivirus is, in itself, just a pretext for data mining. It’s anti-spyware software that is itself a piece of spyware. What else are the AV companies getting out of it when they’re giving you the program for free? You, not the AV routine, are the product.

The Web’s other big excuse for the constant pressure to upgrade is enhancements to the user experience. But can you honestly say that when you play a Flash video today it looks inherently different from the way it looked five years ago? Can you honestly say that when you click a JavaScript button it provides a better experience than clicking a simple HTML button?

Tech progress does facilitate slicker tricks with the passage of time, but most so-called operational enhancements make no difference to most people, and some are more annoying. All many of the ‘enhancements’ seem to succeed in doing is place a bigger drain on resources, with insignificant real-terms user gain.

Let’s not kid ourselves: whilst security and experience-enhancement are real issues, as I explained in my Digital Fingerprinting post, they’re also used as pretexts or ruses for data mining businesses to drive through more effective tracking systems.

Never underestimate the pressure on makers of free software to sell out to the data mining and spying industry – and that includes the people who provide browsers, JavaScript, Flash, etc. All professional operations have to get funding from somewhere, and if you’re not seeing ads within the software itself, then where, realistically, is that funding going to come from?

REGENERATING WEB COOKIES YOU’VE DELETED

It’s often considered that the only way standard cookies can be regenerated is through the use of LSO (Flash-based) ‘supercookies’. LSO cookies, which are designed to evade normal browser deletion processes, are stored in a location on your drive which is common to ALL the browsers you use, and that’s the reason they’re a tracker’s dream. If you switch browsers, LSO cookies can effectively transfer your conventional cookie data across so your history is maintained.

But other tactics can be used to regenerate deleted cookies. It’s even possible for remote sites to restore your deleted cookies using page content stored in your browser’s cache. It’s become necessary for users to cover so many bases in order to ensure they’re not tracked, that it’s beyond the realms of practicability for Mr/Ms Average to stay private.

CANVAS FINGERPRINTING

Canvas fingerprinting is THE most difficult element of modern tracking to combat. It differs from the earlier incarnation of digital fingerprinting in that it seeks to fingerprint the precise rendering of your graphical display.

It’s explained in this eye-opening study, but essentially it exploits the individual characteristics of your graphics card, your monitor, your OS, your bank of fonts, your browser, etc, which, when combined, render text in a pretty unique way. Sampling the rendering of that text, in combination with other data such as your approximate location, can identify a computer with considerable accuracy – even without cookies.
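The pattern described above (text is rendered to a canvas, then the rendered pixels are read back) is something you can watch for from the user's side. The JavaScript below is an added example, not code from the study or from any site; the function names and the stub canvases are hypothetical, constructed so it runs outside a browser.

```javascript
// Added example: flag canvases that have text drawn on them and are then read back.
// watch(), flagFingerprinting() and stubCanvas() are hypothetical names.
const TEXT_CALLS = ["fillText", "strokeText"];
const READ_CALLS = ["toDataURL", "getImageData"];

// Wrap the named methods of `target` so every call is appended to `log`.
function watch(target, names, canvasId, log) {
  for (const name of names) {
    const original = target[name];
    if (typeof original !== "function") continue;
    target[name] = function (...args) {
      log.push({ canvasId, call: name });
      return original.apply(this, args);
    };
  }
}

// Heuristic (an assumption, not a standard): text rendered, pixels read afterwards.
function flagFingerprinting(log) {
  const textDrawn = new Set();
  const flagged = new Set();
  for (const { canvasId, call } of log) {
    if (TEXT_CALLS.includes(call)) textDrawn.add(canvasId);
    else if (READ_CALLS.includes(call) && textDrawn.has(canvasId)) flagged.add(canvasId);
  }
  return [...flagged];
}

// Constructed stand-in for a browser canvas and its 2D context.
function stubCanvas() {
  const ctx = { fillText() {}, strokeText() {}, fillRect() {},
                getImageData() { return { data: [] }; } };
  return { ctx, toDataURL() { return "data:image/png;base64,"; } };
}

function demo() {
  const log = [];
  const canvases = { tracker: stubCanvas(), chart: stubCanvas(), label: stubCanvas() };
  for (const [id, c] of Object.entries(canvases)) {
    watch(c.ctx, [...TEXT_CALLS, "getImageData"], id, log);
    watch(c, ["toDataURL"], id, log);
  }
  canvases.tracker.ctx.fillText("sample text", 2, 15); // text drawn ...
  canvases.tracker.toDataURL();                        // ... then read back
  canvases.chart.ctx.fillRect(0, 0, 10, 10);           // shapes only
  canvases.chart.toDataURL();
  canvases.label.ctx.fillText("Total: 42", 0, 10);     // text, never read back
  return flagFingerprinting(log);
}
```

In a browser the same wrapper would go on `CanvasRenderingContext2D.prototype` and `HTMLCanvasElement.prototype`; text-then-readback is only a heuristic, and legitimate pages can trip it.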

A huge number of major sites use this technique, without divulging the fact that they’re doing so. If they loitered outside your home peeping through the window after you’d expressly requested privacy, they’d be arrested. But because it’s all virtual, no one takes issue. Hardly anyone, indeed, even knows this type of online spying goes on. People assume a level of safety once they’ve blocked cookies, and governments don’t want to alert the public to this higher-level stuff, because it comes too close to hinting at what they themselves are up to.

“CALM DOWN DEAR, IT’S JUST A COMMERCIAL”

But the immortal catchphrase above, coined by movie director Michael Winner in a range of UK insurance ads, resonates well with this subject. Maybe we are a little too quick to get angry when people bid for what is, in effect, really only their share of a two-way reward system.

Ultimately, we all use ‘free’ services on the Internet, and most of us know that when we see the word ‘free’ in relation to a commercial offering, the one overwhelming inevitability is that somehow, at some point, we’re going to end up paying for it.

I’m admittedly privacy-obsessed, and I don’t think anyone could hate being tracked more than me. But I can also see the picture from the other side. I know what it’s like to work on Internet projects and get very little back in return. People are selfish, and they don’t care who puts time and effort into providing for them on the Internet. If you let them, they take it all for granted, grab whatever’s there, and then immediately start thinking about what they’re going to grab next. It’s human nature.

So do I blame businesses for exploiting our voracious appetite for free services and products? Not really, no. The Internet built itself on a free culture, and once one decent free product becomes available, the core of the market has to follow suit. People complain vehemently about Google, Microsoft, Yahoo! or whoever scanning their emails for valuable data, but will they actually dump those free services and pay for a secure and private option, such as the one offered by Ixquick? Typically not.

The privacy invasion therefore can’t be THAT serious a problem. I suspect that, given the choice between a free Internet with spies at every turn, and a true privacy-protected Internet that costs serious cash to use, almost everyone would take the former option.

My concern is less that some modern online tracking is deliberately hidden, and more that the authorities are not imploring any of the businesses involved to behave more respectfully. Passing regulations to make conventional cookie use more transparent, when conventional cookies were always pretty transparent in the first place, and other forms of tracking are carried out in secret, looks like the government are trying to lull us into a false sense of security.

It’s like painting “Warning! This is a door!” signs on bright red wooden doors, whilst leaving barely visible glass doors unmarked. Why would you do something as illogical as that? It’s not protecting people. It’s just an attempt to look like you are. Perhaps the current state of play with online privacy says more about the shallow PR exercise of government than the inevitable slyness of money-mad corporations.